Definition
Last updated 9 May 2026.
ShinyHunters is an active, financially motivated cybercrime group that breaches corporate networks or SaaS vendors, exfiltrates large customer datasets, and demands a cryptocurrency ransom under threat of public release. The group has been active since 2020 and has been linked to dozens of high-profile breaches, including the Jaguar Land Rover attack in 2025 and, most recently, the Canvas / Instructure breach in May 2026 affecting roughly 9,000 schools and universities (Source: BBC News, 9 May 2026).
Confirmed and credibly attributed campaigns
The group typically claims responsibility through a public ransom note, dark-web forum posts, or messages embedded in the breached product itself.
- May 2026: Instructure (Canvas), 9,000 institutions affected
- 2025: Jaguar Land Rover (economically damaging incident, full impact undisclosed)
- 2020 to 2025: A long string of corporate data dumps, including telecoms, retail, and SaaS providers, sold via dark-web markets
Dates and impact figures track public reporting; the group itself does not always publish dates accurately.
How they operate
A typical ShinyHunters campaign follows four phases:
1. Initial access. Often via stolen credentials from infostealer malware, phishing, or known software vulnerabilities. AI-generated phishing has lowered the cost of step 1 significantly.
2. Lateral movement and exfiltration. The group prioritises stealing data over destruction. They want bulk records that can be either ransomed or sold.
3. Demand. A ransom note appears on user screens or via email. The note demands cryptocurrency, usually bitcoin, with a deadline.
4. Public pressure. If the deadline lapses, the group releases samples or full datasets to force payment from any remaining holdouts.
The Canvas attack visibly followed phases 1 to 3: students reported the ransom note appearing mid-exam.
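Phase 2 is the one a school can see in its own telemetry: an account that normally touches a handful of records starts pulling thousands. The detector below is an added example for this page, not ShinyHunters tooling and not any vendor's product. It runs over a few constructed access-log lines (the `user=... action=... records=... src=...` format is assumed for the example) and flags any account whose record count in a one-hour window exceeds a volume threshold, or whose off-hours volume is unusually high. Hours are evaluated in UTC; a real deployment would use the school's local timezone and a baseline learned from its own traffic.

```python
"""Flag bulk record exports in access logs (phase 2 of the campaign model).

Added example: constructed log lines, assumed log format, illustrative thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines, not real logs. The svc.integration account pulls
# ~12,800 records between 02:00 and 03:00 UTC; everyone else is ordinary.
SAMPLE_LOG = """\
2026-05-08T09:14:03Z user=teacher.a action=export_grades records=120 src=10.0.4.12
2026-05-08T09:20:41Z user=teacher.a action=view_course records=1 src=10.0.4.12
2026-05-08T02:01:10Z user=svc.integration action=api_list_users records=4800 src=203.0.113.7
2026-05-08T02:09:55Z user=svc.integration action=api_list_users records=4900 src=203.0.113.7
2026-05-08T02:31:22Z user=svc.integration action=api_list_enrollments records=3100 src=203.0.113.7
2026-05-08T10:02:00Z user=admin.b action=export_users records=900 src=10.0.4.30
"""

# Assumed line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "user": m["user"],
        "action": m["action"],
        "records": int(m["records"]),
        "src": m["src"],
    }


def find_bulk_exports(log_text, records_per_hour=5000, off_hours=(0, 6)):
    """Return alerts as (user, hour_bucket_iso, total_records, reasons).

    An alert fires when a user's records in one clock hour reach
    records_per_hour, or when off-hours activity reaches a tenth of that
    threshold (illustrative values; tune to the institution's baseline).
    """
    totals = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = ev["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(ev["user"], bucket)] += ev["records"]
        sources[(ev["user"], bucket)].add(ev["src"])

    alerts = []
    for (user, bucket), total in sorted(totals.items()):
        reasons = []
        if total >= records_per_hour:
            reasons.append("volume")
        if off_hours[0] <= bucket.hour < off_hours[1] and total >= records_per_hour // 10:
            reasons.append("off-hours")
        if reasons:
            alerts.append((user, bucket.isoformat(), total, ",".join(reasons)))
    return alerts


if __name__ == "__main__":
    for user, bucket, total, reasons in find_bulk_exports(SAMPLE_LOG):
        print(f"ALERT {user} {bucket} records={total} reasons={reasons}")
```

The same aggregation can be pointed at a SaaS vendor's audit-log export (most LMS platforms expose one) so that a school sees a bulk pull through its own service account even when the compromise originated upstream.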
How AI-era defences change the picture
Three defensive shifts blunt this category of attack at the school level:
- AI-driven email and phishing filtering catches the AI-generated phishing emails that fuel step 1; a baseline Microsoft Defender deployment does not. AI-native vendors like Coro (95% automated incident resolution across endpoint and email) raise the bar.
- Behavioural anti-data-exfiltration on every device prevents the bulk exfiltration that makes step 2 profitable. BlackFog's zero-trust, zero-day AI algorithms are designed for exactly this step.
- Continuous external attack-surface monitoring (Hadrian) finds the credential leaks and exposed assets that ShinyHunters scans for as step 1 entry points.
None of these guarantees that the vendor running your software stays clean. They do guarantee that your school is not the easiest path through that vendor.
Practical guidance for school IT this quarter
Three actions to do this week:
1. Patch and update every endpoint, every server, and every app that has had a security advisory in the last 90 days. Many ShinyHunters entry points exploit unpatched known vulnerabilities.
2. Force MFA on every administrative account. If MFA is already mandatory, audit the exception list and remove the exceptions.
3. Brief staff in writing: do not click links in emails about the Canvas breach unless the email was sent through your usual school comms channel. Phishing campaigns ride on the news.
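Actions 1 and 2 above both reduce to an inventory question: which admin accounts lack MFA (and why), and which assets carry an unpatched advisory from the last 90 days. The audit below is an added example written for this page, not a tool from the page's author or from any vendor it names. It runs over a small constructed inventory (the field names `role`, `mfa`, `exception`, `advisory_date`, `patched` are assumptions of the example) and produces the two lists an IT lead would work through this week.

```python
"""Audit admin MFA exceptions and stale security advisories.

Added example over a constructed inventory; field names are assumptions.
"""
from datetime import date, timedelta

# Constructed "today" matching the page's date; not derived from a real tenant.
TODAY = date(2026, 5, 9)

# Constructed account records. 'exception' holds the recorded reason an admin
# was exempted from MFA, or None.
ADMIN_ACCOUNTS = [
    {"user": "admin.b", "role": "global_admin", "mfa": True, "exception": None},
    {"user": "svc.backup", "role": "global_admin", "mfa": False, "exception": "legacy backup agent"},
    {"user": "helpdesk.c", "role": "helpdesk_admin", "mfa": False, "exception": None},
    {"user": "staff.d", "role": "user", "mfa": False, "exception": None},
]

# Constructed asset records: date of the latest security advisory for the
# installed software and whether the fix has been applied.
ASSETS = [
    {"host": "lms-proxy-01", "software": "reverse-proxy", "advisory_date": date(2026, 3, 2), "patched": False},
    {"host": "file-srv-02", "software": "file-server", "advisory_date": date(2026, 4, 20), "patched": True},
    {"host": "old-print-01", "software": "print-spooler", "advisory_date": date(2025, 12, 1), "patched": False},
    {"host": "lab-pc-07", "software": "browser", "advisory_date": date(2026, 5, 1), "patched": False},
]

# Roles treated as administrative for the MFA check (assumed role names).
ADMIN_ROLES = {"global_admin", "helpdesk_admin"}


def mfa_findings(accounts):
    """Return (user, kind, detail) for every admin account without MFA.

    kind is 'exception' when an exemption reason is recorded (review it) and
    'no_mfa' when the gap has no recorded justification (fix it first).
    """
    findings = []
    for acct in accounts:
        if acct["role"] not in ADMIN_ROLES or acct["mfa"]:
            continue
        if acct["exception"]:
            findings.append((acct["user"], "exception", acct["exception"]))
        else:
            findings.append((acct["user"], "no_mfa", "admin without MFA and without recorded exception"))
    return findings


def patch_findings(assets, today, window_days=90):
    """Return (host, kind, days_since_advisory) for every unpatched asset.

    kind is 'unpatched_recent' inside the advisory window the page names
    (90 days) and 'unpatched_old' for anything older, which is no safer.
    """
    cutoff = today - timedelta(days=window_days)
    findings = []
    for asset in assets:
        if asset["patched"]:
            continue
        days = (today - asset["advisory_date"]).days
        kind = "unpatched_recent" if asset["advisory_date"] >= cutoff else "unpatched_old"
        findings.append((asset["host"], kind, days))
    # Oldest exposure first.
    return sorted(findings, key=lambda f: -f[2])


def weekly_report(accounts, assets, today):
    """Combine both checks into the worklist for the week."""
    return {"mfa": mfa_findings(accounts), "patching": patch_findings(assets, today)}


if __name__ == "__main__":
    report = weekly_report(ADMIN_ACCOUNTS, ASSETS, TODAY)
    for user, kind, detail in report["mfa"]:
        print(f"MFA   {kind:16} {user:14} {detail}")
    for host, kind, days in report["patching"]:
        print(f"PATCH {kind:16} {host:14} advisory {days} days old")
```

Exporting the real account and asset lists from the identity provider and the endpoint management console into the same two shapes is the only adaptation needed; the check itself stays the same.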
Frequently asked questions
Are ShinyHunters state-sponsored?
Public reporting characterises ShinyHunters as financially motivated rather than state-sponsored. The group sells stolen data and extorts victims for cryptocurrency.
Should schools negotiate with the group?
No. Engage your law enforcement contact (the NCSC in the UK, the ACSC in Australia, the FBI in the US, the NCSC in NZ), notify your insurance broker, and follow your incident playbook. Direct negotiation is for the affected vendor, with appropriate legal counsel.
How will we know if our specific school data was taken?
Wait for the vendor (Instructure) to publish its forensic findings. In the meantime, treat student data as potentially exposed and follow your regional breach notification procedure.